You will think about it before scanning a lost AirTag: they discover a method to hack Apple accounts using these devices as bait


Time: globisoftware

On: Mar/29/2022


After many months of rumours, Apple ended up introducing its famous AirTags in April. These tiny devices use Ultra Wide Band (UWB) technology so their geolocation is accurate even indoors.

The purpose of these devices is that users can attach them to keys and wallets, like a keychain, to avoid losing them. If that happens, the iPhone is enough to track and find the disc. But a cybersecurity specialist has just discovered another, much more sinister use for these AirTags.

Bait. AirTags can be used as bait for iPhone users who, in good faith, assume that the device they have come across on the street is a lost item that needs to be reported. Bobby Rauch is the specialist who detected this zero-day vulnerability, that is, a flaw for which there is still no security patch.

"I don't remember any case like this, in which small, low-cost consumer devices can be transformed into weapons like this," acknowledges Rauch in the blog article detailing his investigation, which was also covered by Tom's Guide.


The mechanics are simple, which makes this vulnerability particularly dangerous. When a user finds a missing AirTag, they can scan the device with their phone. A found.apple.com address followed by a code is generated automatically. The page shows both the serial number of the lost AirTag and the phone number of its legitimate owner, so that it can be returned.


The found.apple.com page generated for that code (unique and non-transferable for each AirTag and user) is susceptible to an attacker injecting XSS code, so that when a third party scans the AirTag to return it to its owner, the page they load may be infected.

Since Apple's process requires users to log in with their account to contact the owner of the AirTag, what the injected XSS code can do at that point is direct the victim to a fake page that pretends to be the real Apple sign-in form. On that fake page, the criminal only has to install a keylogger to steal the credentials.

In fact, you do not need to log in to Apple to access the page offered by an AirTag found on the street. It automatically shows the contact telephone number of the legitimate owner. But as Rauch explains, because AirTags have only been on the market for a short time, many users won't be aware of that nuance.
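A defensive sketch of the flaw described above, added here as an example and not taken from Rauch's write-up or Apple's code. It assumes the injected script arrives through an owner-supplied contact field; the function names, page markup and sample records are hypothetical.

```javascript
// Added example: hypothetical found-item page renderer, not Apple's code.

// Escape the five characters that let text break out of HTML content or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Write-time check: accept only something shaped like a phone number
// (optional +, then 7-15 digits mixed with spaces, dots, dashes or parentheses).
function isPlausiblePhone(value) {
  if (typeof value !== 'string' || value.length > 24) return false;
  if (!/^\+?[0-9 ().-]+$/.test(value)) return false;
  const digits = value.replace(/\D/g, '').length;
  return digits >= 7 && digits <= 15;
}

// Vulnerable rendering: owner-supplied text is concatenated into markup as-is,
// so markup stored in the contact field becomes part of the page.
function renderFoundPageUnsafe(item) {
  return `<p>Serial: ${item.serial}</p><p>Contact: ${item.phone}</p>`;
}

// Hardened rendering: drop malformed contact data, escape every interpolated
// value, and send a CSP so inline script and off-site form posts are blocked.
function renderFoundPageSafe(item) {
  const phone = isPlausiblePhone(item.phone) ? item.phone : 'unavailable';
  return {
    headers: {
      'Content-Security-Policy': "default-src 'self'; script-src 'self'; form-action 'self'",
    },
    body: `<p>Serial: ${escapeHtml(item.serial)}</p><p>Contact: ${escapeHtml(phone)}</p>`,
  };
}

// Constructed sample records: one legitimate, one with markup in the contact field.
const legit = { serial: 'SAMPLE0001', phone: '+1 (555) 010-0199' };
const tainted = { serial: 'SAMPLE0002', phone: '<script>/* constructed marker */</script>' };

console.log(renderFoundPageUnsafe(tainted)); // script tag reaches the page intact
console.log(renderFoundPageSafe(tainted).body); // contact shown as "unavailable"
console.log(renderFoundPageSafe(legit).body); // real number rendered unchanged
```

Validation at write time and escaping at render time are independent layers: either one alone would stop this sample, and the policy header limits the damage if both are missed.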

What's troubling about this story is that Rauch reported the bug to Apple in mid-June. The vulnerability has been present for 3 months. According to what Rauch himself told cybersecurity journalist Brian Krebs, Apple was never transparent during the process, nor did it indicate the timeframe in which it would fix the vulnerability.

Apple sent Rauch an email a few days ago confirming that it would soon release a security patch solving this problem. Until then, the most this computer security specialist had received from Apple was an email thanking him for the information and asking him not to leak it, so that no criminal could take advantage of it.